1. Field of the Invention
The present invention relates to the field of smart cards. More particularly, the present invention relates to personalizing multi-application smart cards.
2. Description of Related Art
The challenge of identifying or authenticating a person on a local computer, or on the other end of a communication session, or in the role of the sender of a message, is a recurring theme in e-business. A typical solution uses user authentication methods based at least in part on passwords or personal identification numbers (PINs). A password or PIN is a word or code used as a security measure against unauthorized access to data.
Typically, a user obtains a PIN as part of an enrollment process with a service provider. In this enrollment process, the service provider assesses user-supplied information and decides whether to provide the service to the user. If the service provider decides to provide service, the service provider issues a PIN to the user.
After enrolling with the service provider, the user uses the PIN to obtain access to the service. The user interface in this case consists of a prompt for a PIN. The user is typically allowed a fixed number of unsuccessful PIN attempts before user access is blocked.
A PIN or password is typically the primary means by which an individual user indicates authorization based at least in part on an intelligent thought process performed by the user. The user must recall the PIN from the user's memory and enter the digits corresponding to the PIN to obtain access to a service.
PINs are often difficult to remember, especially when a user uses more than one PIN to access different services. A user may create a written copy of the PIN or PINs in an attempt to remember them. However, such a practice degrades security because the paper containing the PIN or PINs can be stolen or forwarded freely. Thus, static PIN-based user authentication mechanisms alone provide a relatively low level of security.
An improved form of user authentication is made possible by using a smart card or a magnetic stripe card in conjunction with a PIN. This is sometimes referred to as “two-factor” user authentication, combining “what you have” (the physical smart card) with “what you know” (the password needed to use the smart card). Because both possession of the smart card and knowledge of the PIN are required, two-factor user authentication can provide a higher level of security than user authentication based at least in part on a PIN or on a card alone.
FIG. 1 is a block diagram that illustrates a typical mechanism for PIN management using a magnetic stripe card. A service provider 150 maintains a centralized cardholder database 110 that includes a primary account number (PAN) and an associated PIN for each cardholder. A cryptographic algorithm is typically used to generate the PIN based at least in part on a cryptographic key 140, PAN 120 and possibly other data 135. The PAN for a user 100 is written on a magnetic stripe 115 of a magnetic stripe card 105, and magnetic stripe card 105 is provided to user 100.
User 100 gains access to the account associated with card 105 by presenting magnetic stripe card 105 to a card reader (also known as a card acceptance device (CAD) or terminal) 155 in communication with centralized cardholder database 110 and by entering a PIN 145. Terminal 155 is referred to as an “untrusted” terminal because user 100 has little effective control of terminal 155. Terminal 155 may be implemented using a PC or as a standalone device.
Centralized cardholder database 110 grants user 100 access to the account if the PAN on magnetic stripe card 105 matches a PAN 120 in the database 110 and if PIN 145 entered by user 100 matches PIN 125 that is associated with PAN 120 in database 110.
FIG. 2 is a block diagram that illustrates a typical mechanism for personal identification number (PIN) management using a smart card 205. Unlike magnetic strip card 105, smart card 205 may include a CPU (central processing unit). Such a smart card can process data such as a PIN locally on the smart card. This processing may include PIN verification. Once a user is authenticated to the smart card, the smart card can be used to obtain access to a service.
As shown in FIG. 2, smart card 205 includes multiple vendor applications 235, 240, 290, each of which may use the same PIN to control access to a service. Smart card 205 also includes an issuer applet 215 provided by the smart card issuer, an agent of the smart card issuer, or a commercially-agreed provider of the applet. Issuer applet 215 includes PIN comparator 220 that compares PIN 270 entered by an end-user 200 with a validated PIN 230. Typically, PIN comparator 220 allows a fixed number of unsuccessful PIN tries before access is blocked. This is illustrated below with reference to FIG. 3. Once access is blocked, end-user 200 must present smart card 205 to service provider 280. Service provider 280 maintains information about smart card 205 that allows smart card 205 to be reset. In one solution, service provider 280 maintains a super PIN 290 that allows smart card 205 to be reset typically based at least in part on cryptographic protocols.
Turning now to FIG. 3, a flow diagram that illustrates a method for personal identification number (PIN) management is presented. The processes illustrated in FIG. 3 may be implemented using hardware, software, firmware, or a combination thereof.
At check operation 300, a PIN from a user is received. At check operation 305, a determination is made whether a try counter has exceeded a maximum number of try attempts. If the maximum number of try attempts has been exceeded, the smart card is set to block access at operation 310. If the maximum number of try attempts has not been exceeded, the try counter is incremented at operation 315 and a determination whether the user-entered PIN matches a validated PIN is made in check operation 320. If the user-entered PIN matches the stored PIN, access is allowed at operation 325. If the user-entered PIN does not match the validated PIN, additional PIN tries are accepted beginning at operation 300. This process continues until the maximum number of try attempts has been exceeded.
Unfortunately, maintaining a PIN in a centralized database 110, 210 that is beyond user control makes PINs vulnerable to misuse by a service provider 150, 280 or vulnerable to interception while in transit between terminal 155, 285 and service provider 150, 280. Such misuse and/or interception will be come a greater problems as use of smart cards becomes more widespread.
Referring again to FIG. 2, a generic smart card 205 is bound to an individual end-user 200 in a process called “Personalization”. Smart card 205 may have surface applications, which are sometimes referred to as external applications. Smart card 205 may also have internal applications 235, 240, 290.
A surface application, sometimes called an external application, is an application including data on an outer surface of smart card 205 that binds smart card 205 to individual end-user 200. Exemplary external applications include a printed name and a picture of end-user 200.
An internal application 235, 240, 290 is an applet that performs a function based at least in part on data stored on or outside smart card 205. One of the functions may be to bind smart card 205 to an individual user 200, for example by storing information such as a user name, a password or PIN, an address, or a social security number.
If the name of the end-user stored inside smart card 205 is not the same as the name on the outside of smart card 205, smart card 205 is rendered practically useless because credentials for different users—the name on the outside and the name on the inside—do not match when smart card 205 is presented for access to a service. This is a potential source of loss of smart card 205.
Additionally, the personalization of multi-application smart cards differs from traditional smart card personalization in that privacy and commercial considerations require no single application be responsible for the entry and control of personal data, and in that such personalization can happen after the smart card has been issued to a user. Allowing an applet from one commercial entity to control more aspects of the user than an applet from another commercial entity makes business relationships between the other commercial entities having applets on the smart card asymmetric; the entity that controls the user of data is more important and has more control over the user than the other units who have only the customer in common.